SrikantRajeev asked:
Cisco ISE Deployment

Cisco ISE deployment for a NAC solution.
I would like to understand how this can be deployed for 2 data centers.
Data center 1 will be the primary and data center 2 will be the secondary.
All my sites will be connected to both my primary and backup DC.
For my NAC solution I need to install the necessary Cisco ISE components in both my production and backup DC.
So in this case I would like to understand how failover and redundancy work for Cisco ISE between the DCs for my NAC solution.

If anyone has any details or documents, kindly share.
btan:

Some good references

Setting Up Cisco ISE in a Distributed Environment
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_50_ise_deployment_tg.pdf
In midsize to large enterprise deployments, ISE functions can be divided into several dedicated service nodes called “personas.” E.g. “Policy Administration Node (PAN)”,  “Policy Service Node (PSN)”,  “Monitoring Node (MNT)” and “Inline Posture Node (IPN)”. The main goal of dividing into dedicated service nodes is to distribute the load and traffic caused by authentication services, and to avoid points of failure by centralizing service in one appliance.

Check out
- Basic 2-Node (Redundant) Deployment: Up to 2,000 Endpoints. (SMB) When ISE appliances form redundancy, you can configure them to serve as primary and secondary nodes for administration and monitoring services. Having a single primary administration node and multiple secondary nodes is sometimes referred to as an ISE distributed deployment.

- Distributed Deployment: 2,000 to 10,000 Endpoints. (detaching the PSN from the PAN or MNTs) In this type of distributed deployment, we recommend two sets of Cisco ISE nodes for admin and monitoring functions and up to five PSNs. If you have more than two PSNs in a single location, you can cluster those PSNs behind a load-balancing device (such as a Cisco Application Control Engine) for better performance. Additionally, other network access devices (NADs), such as ones in the second campus network, can point to the headquarters PSN as a secondary RADIUS server for high-availability purposes.

- Distributed Deployment: Up to 100,000 Endpoints (Maximum). (separated onto dedicated appliances) ISE supports up to two dedicated PANs and two dedicated MNTs. Each dedicated appliance can serve as primary and secondary node to maintain resiliency in case of service failure. When these nodes are separated on dedicated appliances, the number of supported PSNs also increases. With 2x PANs and 2x MNTs, ISE supports up to 40 PSNs, supporting 100,000 endpoints concurrently. If your company has a single data center, primary and secondary PANs and MNTs can be connected in different segments. With multiple data centers, it is more common to separate those personas in each data center location for disaster recovery (DR) purposes. Of course, the personas communicate with each other to synchronize endpoint data, session information and state, and configuration changes. With distributed personas, it is important to understand the types of communication between nodes to prevent a node from going out of sync.

A distributed deployment design needs to support all the required communication protocols between personas. For instance, PAN and PSN communicate to replicate and synchronize policy and configurations. Those two appliances use HTTPS (TCP/443) and Oracle DB Listener and AQ (TCP/1521) to perform replication and synchronization. ICMP is also used to perform a heartbeat between the PAN and PSN.
Simply put, failover just happens.  You list both ISE boxes in the NAC client if they're running the PSN persona.
SrikantRajeev (ASKER):

For this, from the switch perspective, should I configure both ISE IP addresses as active/standby?
So in case my primary site is down, will it point to the secondary site IP address?
Is it recommended to have redundancy at the local site, or is it sufficient to have redundancy at site level across the 2 DCs?
Yes, configure both on the switch, but remember to include both in any ACLs you have configured.

Redundancy scenarios depend on how your network is designed and how much redundancy you want.  It's quite common for ISE servers to be distributed across L3 boundaries in separate DCs for example.
Agree with Craigbeck, that is the norm for HA. And clustering with heartbeat is the norm as well. It is even applicable during upgrades of switches, to ensure alternate routes are always made available.

Also, at least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. You may want to consider dedicating the node solely to monitoring for optimum performance. Other points for redundancy:
a) there must be at least one Monitoring ISE node in a distributed deployment. At the time of configuring your primary Administration ISE node, you must enable the Monitoring persona. After you have registered a secondary Monitoring ISE node in your deployment, you can edit the primary Administration ISE node and disable the Monitoring persona, if required.
b) When you register an ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. Replication is the process of sharing ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all the ISE nodes that are part of your deployment.

If I may extract the following for info:
Guidelines for Setting Up a Distributed Deployment
Read the following statements carefully before you set up Cisco ISE in a distributed environment:
•There are two types of nodes in a Cisco ISE distributed deployment: the ISE node and the Inline Posture node. An ISE node can assume the Administration, Policy Service, and Monitoring personas at the same time. An ISE node can be a primary, secondary, or standalone node.

•The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node.

•You must first configure a primary Administration ISE node and then register secondary nodes to set up a distributed deployment.

•There can be only one primary ISE node in a distributed deployment and it must assume the Administration persona. You can have a maximum of two ISE nodes that assume the Administration persona, one being your primary and the other a secondary node.

•All Cisco ISE system-related configuration and configuration related to functionality should be done only on the primary Administration ISE node. The configuration changes that you perform on the primary Administration ISE node are replicated to all the secondary nodes in your deployment.

•When the primary Administration ISE node goes down, you must log into the user interface of the secondary Administration ISE node and make it the primary node.

•The Inline Posture node requires a dedicated node. No other persona or service can run on a node that is designated as an Inline Posture node.

•A properly configured Domain Name System (DNS) server is required for a distributed deployment to work correctly. You must enter the IP addresses and fully qualified domain names (FQDNs) of the ISE nodes that are part of your distributed deployment in the DNS server.

•If you want to uninstall Cisco ISE from a secondary node, you must first deregister it from the primary Administration ISE node. You can then reimage the standalone node and reregister it with the primary Administration ISE node.
Does ISE support 802.1X MAC authentication for the PCs which are connecting to the wired and wireless network?
I want the PCs to be authenticated based on their MAC address using ISE.
Let me know if this is possible.
My understanding is that it is possible using the MAC address via MAB (MAC Authentication Bypass).
If a device (endpoint) does not support 802.1X, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.

The normal MAB scheme uses 4 phases during operation of the endpoint:
Phase 1: Initiation; this will time out because there is no 802.1X response
Phase 2: MAC learning; the NAD will check the MAC address with ISE after the endpoint sends the first packet
Phase 3: Authorization; ISE can push a DACL or other authorization objects like VLANs
Phase 4: Accounting
I just answered your other question, but I'll repeat here...

MAB is available in ISE.  There is already a policy in ISE to do wireless and wired MAB so you just configure your switches for 802.1x and MAB then add the MAC addresses to the internal endpoints database.
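The following ties the two switch-side answers together: Craigbeck's advice to list both ISE nodes on the switch and in any ACLs, and the 802.1X-then-MAB fallback described in the four phases above. It is an added example Catalyst IOS configuration, not configuration from this thread or from Cisco's documentation; the node names, IP addresses (10.1.1.10 in DC1, 10.2.1.10 in DC2), VLAN 100, the shared secret placeholder and the timer values are all assumptions, and the interface commands are the legacy IOS authentication-manager syntax.

```cisco
! Added example (not from the thread): one access switch pointing at an ISE PSN
! in each data center, with 802.1X first and MAB as the fallback.
! Assumed: 10.1.1.10 = PSN in DC1 (primary), 10.2.1.10 = PSN in DC2 (secondary),
! <RADIUS-SECRET> = shared secret placeholder, VLAN 100 = user VLAN.
aaa new-model
!
! One RADIUS server object per PSN.
radius server ISE-DC1-PSN
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET>
radius server ISE-DC2-PSN
 address ipv4 10.2.1.10 auth-port 1812 acct-port 1813
 key <RADIUS-SECRET>
!
! Servers are tried in the order listed (active/standby behaviour): the switch
! moves to DC2 once DC1 is marked dead (no reply in 5 s, 3 tries) and retries
! DC1 after the 15-minute deadtime.
aaa group server radius ISE-GROUP
 server name ISE-DC1-PSN
 server name ISE-DC2-PSN
 deadtime 15
radius-server dead-criteria time 5 tries 3
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
radius-server vsa send accounting
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
! Accept Change-of-Authorization (e.g. re-authenticate) from either PSN.
aaa server radius dynamic-author
 client 10.1.1.10 server-key <RADIUS-SECRET>
 client 10.2.1.10 server-key <RADIUS-SECRET>
!
dot1x system-auth-control
!
! Pre-authentication port ACL: both PSNs must be listed, otherwise a failover
! to DC2 leaves endpoints unable to reach the portal/posture services.
! 8443 (guest/sponsor portal) and 8905 (posture agent) are ISE's default ports.
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit tcp any host 10.1.1.10 eq 8443
 permit tcp any host 10.1.1.10 eq 8905
 permit tcp any host 10.2.1.10 eq 8443
 permit tcp any host 10.2.1.10 eq 8905
 deny   ip any any
!
interface GigabitEthernet1/0/1
 description access port: 802.1X first, MAB fallback
 switchport mode access
 switchport access vlan 100
 ip access-group PRE-AUTH in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! MAB phase 1: with tx-period 10 and max-reauth-req 2 a non-802.1X endpoint
 ! gets no response for ~30 s, then phase 2 (MAC lookup against ISE) starts.
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 mab
 ! If both PSNs are dead, authorize new sessions into VLAN 100 rather than
 ! blocking the port; reinitialize when a server comes back.
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 spanning-tree portfast
```

Whether the second server in ISE-GROUP sits in the same DC or in the other DC is the "local versus site-level redundancy" choice from the question; the switch logic is identical either way, and `show aaa servers` / `show authentication sessions` on the switch show which PSN is currently answering and which ports fell back to MAB. The MAC addresses themselves are added to the ISE internal endpoints database, as Craigbeck describes, not to the switch.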
ASKER CERTIFIED SOLUTION
btan
Thanks.
Checking this out.
Thanks